package com.imooc.security.filter;

import com.imooc.security.entity.TokenInfo;
import com.imooc.security.log.AuditLog;
import com.imooc.security.log.AuditLogRepository;
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import com.netflix.zuul.exception.ZuulException;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

import javax.servlet.http.HttpServletRequest;
import java.util.Date;

/**
 * @ClassName AuthorizetionFilter
 * @Description TODO 授权过滤器
 * @Author wushaopei
 * @Date 2021/5/3 19:27
 * @Version 1.0
 */
@Component
@Slf4j
public class AuthorizetionFilter extends ZuulFilter {

    @Autowired
    private AuditLogRepository auditLogRepository;

    @Override
    public String filterType() {
        return "pre";
    }

    @Override
    public int filterOrder() {
        return 3; // 在审计过滤器后
    }

    @Override
    public boolean shouldFilter() {
        return true;
    }

    @Override
    public Object run() throws ZuulException {
        log.info("authorization start");
        RequestContext requestContext = RequestContext.getCurrentContext();
        HttpServletRequest request = requestContext.getRequest();

        if(isNeedAuth(request)){
            //需要认证,从request取出AuthFilter放入的tokenInfo
            TokenInfo tokenInfo = (TokenInfo)request.getAttribute("tokenInfo");
            // 拿到tokenInfo且可用,不为空且为激活状态
            if(tokenInfo !=null && tokenInfo.isActive()){
                // token可用但没有当前请求的应用的权限
                if(!hasPermission(tokenInfo,request)){
                    //没有权限
                    log.info("audit log update fail 403 ");
                    //更新审计日志 ，403
                    Long auditLogId = (Long)request.getAttribute("auditLogId");
                    AuditLog log = auditLogRepository.findById(auditLogId).get();
                    log.setModifyTime(new Date());
                    log.setStatus(403);
                    auditLogRepository.save(log);
                    // 处理错误的统一方法
                    handleError(403,requestContext);
                }
                //走到这里说明权限也通过了，将用户信息放到请求头，供其他微服务获取
                requestContext.addZuulRequestHeader("username",tokenInfo.getUser_name());
            // token不可用
            }else {
                // 只有请求URI不带"/token" 的才报handleError，因为带"/token"的是登录的时候才有，此时是生成Token令牌，不可能有token是可用的
                if (!StringUtils.startsWith(request.getRequestURI(),"/token")){
                    log.info("audit log update fail 401");
                    Long auditLogId = (Long)request.getAttribute("auditLogId");
                    AuditLog log = auditLogRepository.findById(auditLogId).get();
                    log.setModifyTime(new Date());
                    log.setStatus(401);
                    auditLogRepository.save(log);
                    // 认证失败，没有tokenInfo，报错,修改审计日志状态
                    handleError(401, requestContext);
                }
            }
        }
        return null;
    }
    /**
     * 处理认证失败或者没有权限
     * @param status http状态码
     * @param requestContext
     */
    private void handleError(int status, RequestContext requestContext) {
        requestContext.getResponse().setContentType("application/json");
        requestContext.setResponseStatusCode(status );
        requestContext.setResponseBody("{\"message\":\"auth fail\"}");
        requestContext.setSendZuulResponse(false);
    }
    /**
     * 认证成功，看是否有权限
     * TODO：从数据库查询权限，这里直接返回
     * @param tokenInfo
     * @param request
     * @return
     */
    private boolean hasPermission(TokenInfo tokenInfo, HttpServletRequest request) {
        return true;//RandomUtils.nextInt() %2 ==0;
    }
    /**
     * 判断当前请求是否需要认证
     * TODO:查数据库判断权限
     * @param request
     * @return
     */
    private boolean isNeedAuth(HttpServletRequest request) {
        return true;
    }
}
